Provisioning Dial Access to MPLS VPN Integration
- Mercy Martin
- 8 years ago
CHAPTER 3 Provisioning Dial Access to MPLS VPN Integration

This chapter describes how to provision each of the methods of dial access to MPLS (Multiprotocol Label Switching) VPN (virtual private network) integration. It covers the following subjects:

Provisioning Dial-In Access, page 3-1
- Provisioning L2TP dial-in
- Provisioning direct ISDN PE dial-in
Because many of the configuration tasks for these two methods are the same, they are described in a single section, with differences noted where a task applies to only one of the access methods.

Provisioning L2TP Dial Backup, page 3-18

Provisioning Dial-out Access, page 3-20
- Provisioning L2TP dial-out
- Provisioning direct ISDN dial-out

The chapter also includes a section on Sample Configurations. Descriptive overviews of the dial access methods and related features are covered in Chapter 2, Overview of Dial Access to MPLS VPN Integration.

Provisioning Dial-In Access

Before You Begin

The procedures provided here are specific to provisioning remote access to an MPLS VPN and are based on two assumptions:

1. That the following setup and configuration tasks have already been carried out:
   - Setup of the MPLS core network
   - Setup of the customer VPN
   - Configuration of the links between the provider edge router (PE) and the customer edge router (CE)
2. That you have a good understanding of the architecture and features you are using and that you have selected the means you will use for implementing those features (for example, which of several strategies you will use for address management or for user authentication and authorization). See Chapter 2, Overview of Dial Access to MPLS VPN Integration, for information that will help you understand the dial architectures and decide on your implementation approach.

Dial-In Provisioning Checklist

Table 3-1 lists the provisioning tasks for L2TP dial-in and for direct ISDN PE dial-in. Procedures for completing each task are described in the sections that follow. If you are viewing this document online, you can click on highlighted text to get details on the procedure.

Table 3-1 Checklist of Tasks for Dial-in Provisioning

Task | L2TP Dial-In | Direct ISDN PE Dial-In
Before you begin, read the Cisco Remote Access to MPLS VPN Integration 2.0 Release Notes at n/rampls2/relnote/index.htm | |
Do initial, one-time setup | |
Task 1. Configure the PE Routers for MPLS. | On the VHG/PE | On the NAS/PE
Task 2. Configure the SP AAA RADIUS Server with Client Information. | On the SP AAA server: NAS/LAC client information and VHG/PE client information | On the SP AAA server: NAS/PE client information
Task 3. Configure RADIUS AAA on the Querying Device. | On the NAS/LAC and on the VHG/PE | On the NAS/PE
Add new customer groups as needed | |
Task 1. Configure L2TP Information for New Customers (L2TP only). | On the NAS/LAC or on the SP AAA RADIUS server | (not applicable)
Task 2. Configure VRF Information for the Customer Group. | On the VHG/PE | On the NAS/PE
Task 3. Configure VPDN Information for the Customer Group (L2TP only). | On the VHG/PE | (not applicable)
Task 4. Configure Authentication and Authorization. | On one of the following, depending on how you are handling authentication and authorization: the VHG/PE; the SP AAA RADIUS server; or the SP AAA RADIUS server (proxy) together with the customer AAA RADIUS server | On the SP AAA server
Task 5. Configure Accounting Between the VHG/PE or NAS/PE and the Access Registrar. | On the VHG/PE | On the NAS/PE
Task 6. Configure Address Management. | On the VHG/PE or on the SP AAA server | On the NAS/PE or on the SP AAA server
Task 7. (If You Are Using MLP) Configure LCP Renegotiation and Enable MLP for Users in the Group. | On the VHG/PE | On the NAS/PE
Task 8. (If You Are Using MMP) Configure SGBP on Each Stack Group Member. | On each VHG/PE in the stack group | On each NAS/PE in the stack group
Miscellaneous Component Configurations | For miscellaneous component configuration details, refer to the documentation listed in Table 3-2. |

Table 3-2 Miscellaneous Component Configurations

Component | Documentation Location
Cisco Access Registrar |
Cisco Network Registrar |
MPLS VPN PE (IOS Release 12.2x) |
MPLS VPNSC 2.1 |
Documentation location: cftagc.htm

Initial, One-Time Setup Tasks

These tasks are done once and are not specific to a particular customer or VPN.

Task 1. Configure the PE Routers for MPLS

In L2TP dial-in, configure the VHG/PE routers. In direct ISDN PE dial-in, configure the NAS/PE routers. Perform the following steps:

Step 1 Configure the loopback interface:
   Router (config)# interface loopback [number]

Step 2 Configure the IGP (OSPF or IS-IS).
For details on configuring OSPF, refer to spf.htm. For details on configuring IS-IS, refer to is.htm.

Step 3 Enable CEF globally, then enable label switching on the interface connected to the MPLS core:
   a. Router (config)# ip cef
   b. Router (config-if)# tag-switching ip

Step 4 Configure a BGP peer from the VHG/PE or the NAS/PE to the loopback of each remote PE:
   a. Router (config)# router bgp [autonomous system number of sp]
   b. Router (config-router)# neighbor [ip address of the first remote pe] remote-as [same autonomous system number]
   c. Router (config-router)# neighbor [ip address of first remote pe] update-source Loopback0
   d. Repeat (b) and (c) for each remote PE.
   The session is sourced from the loopback configured in Step 1 so that the iBGP session does not depend on any single core interface.

Step 5 Configure the BGP session to exchange VPN-IPv4 route prefixes with each remote PE:
   a. Router (config-router)# address-family vpnv4
   b. Router (config-router-af)# neighbor [ip address of first remote pe] activate
   c. Router (config-router-af)# neighbor [ip address of first remote pe] send-community extended
   d. Repeat (b) and (c) for each remote PE.
   send-community extended is required: the route-target extended communities configured for each customer group (Task 2 under Adding New Customer Groups) are what the remote PEs use to import routes into the correct VRF.

Table 3-3 provides links to relevant Cisco router configuration documentation.

Table 3-3 PE Routers and Configuration Documentation

Platform | Documentation Location
Cisco 7200-NPE300/NPE400 series routers |
Cisco 7500 series routers |
Cisco 6400-NRP1/NRP2 series routers |
Documentation location: o#hardware_installation_%26_configuration

Task 2. Configure the SP AAA RADIUS Server with Client Information

You must perform this task if you are using a AAA RADIUS server in your network to provide address management or user authentication, authorization, and accounting.
On the AAA RADIUS server, perform the steps in the following section to configure the Cisco Access Registrar (AR) application with client information for either of the following dial-in situations:
- L2TP dial-in, where the SP AAA RADIUS server can be queried for user information by the VHG/PE, for L2TP information by the NAS/LAC, or both.
- Direct ISDN PE dial-in, where the SP AAA RADIUS server is queried by the NAS/PE.

Configure the SP AAA RADIUS Server for L2TP Dial-In

Use the following commands to configure the NAS/LAC client information:

Step 1 Enter CLI configuration mode of AR:
   admin@sun-ar% aregcmd -s

Step 2 Change to the client directory:
   --> cd /radius/clients

Step 3 Add the NAS/LAC router name to the client directory:
   --> add [name of NAS/LAC]

Step 4 Define the IP address and shared secret of the NAS/LAC:
   --> cd [name of NAS/LAC]
   --> set ipaddress [ip address]
   --> set sharedsecret [sharedsecret]

Repeat these steps to configure the VHG/PE client information.

Configure the SP AAA RADIUS Server for Direct ISDN PE Dial-In

Use the following commands to configure the NAS/PE client:

Step 1 Enter CLI configuration mode of AR:
   admin@sun-ar% aregcmd -s

Step 2 Change to the client directory:
   --> cd /radius/clients

Step 3 Add the NAS/PE router name to the client directory:
   --> add [name of NAS/PE]

Step 4 Define the IP address and shared secret of the NAS/PE:
   --> cd [name of NAS/PE]
   --> set ipaddress [ip address]
   --> set sharedsecret [sharedsecret]

The AR matches an incoming request to a client entry by the source IP address of the request, so the address set here must be the address from which the router sources its RADIUS traffic. The shared secret is the only key that protects RADIUS between the router and the AR; use a different secret for each client (in L2TP dial-in the NAS/LAC and the VHG/PE are separate clients), and do not reuse it as an L2TP tunnel password.

For AR configuration details, refer to the Cisco Access Registrar documentation listed in Table 3-2.
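The shared secret entered in Step 4 above and repeated on the router in Task 3 is the only key RADIUS has. The following Python script, added here as an illustration and not part of the Cisco document, of Cisco IOS or of Access Registrar, implements the two places the secret is used on the wire (RFC 2865): hiding the User-Password in the Access-Request that the router sends, and computing the Response Authenticator that the router checks on every reply it receives. The user name, password, secret and the fixed Request Authenticator are constructed for the example.

```python
"""RADIUS shared-secret mechanics (RFC 2865, sections 3 and 5.2).

Illustration added to this page; not Cisco IOS or Access Registrar code.
Shows the two uses of the secret configured with 'set sharedsecret' on the
AR and 'radius-server host ... key' on the router.  All values are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def attr(atype: int, value: bytes) -> bytes:
    """One attribute: Type, Length (value + 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def find_attr(attrs: bytes, atype: int):
    """Return the value of the first attribute of the given type, or None."""
    i = 0
    while i + 2 <= len(attrs):
        t, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute")
        if t == atype:
            return attrs[i + 2:i + length]
        i += length
    return None


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator.  This is keyed obfuscation, not authenticated encryption."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Server side: undo hide_password and strip the NUL padding."""
    if len(hidden) % 16:
        raise ValueError("hidden password length must be a multiple of 16")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Header (Code, Identifier, Length) + 16-byte Authenticator + attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def access_request(secret, ident, username, password, request_auth=None):
    """What the NAS/LAC, VHG/PE or NAS/PE sends.  The Request Authenticator is
    random and is not a signature: the request itself is unauthenticated."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username) + attr(
        ATTR_USER_PASSWORD, hide_password(secret, request_auth, password))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(secret, code, ident, attrs, request_auth):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def response(secret, code, request, attrs=b""):
    """What the AR returns for the given request (Access-Accept or -Reject)."""
    ident, request_auth = request[1], request[4:20]
    auth = response_authenticator(secret, code, ident, attrs, request_auth)
    return packet(code, ident, auth, attrs)


def verify_response(secret, request, reply):
    """What the router does with a reply: the identifier must match the
    outstanding request and the authenticator must recompute under the
    router's own secret.  A secret mismatch therefore looks like a dropped
    reply (a timeout), not like an error."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    expected = response_authenticator(secret, reply[0], reply[1], reply[20:], request[4:20])
    return hmac.compare_digest(expected, reply[4:20])


def demo():
    """Round trip with matching secrets, then the same reply checked with a wrong one."""
    secret, req_auth = b"lac-shared-secret", bytes(range(16))  # constructed, fixed for repeatability
    req = access_request(secret, 42, b"alice@cust1.example", b"Pa55w0rd", req_auth)
    reply = response(secret, ACCESS_ACCEPT, req)
    hidden = find_attr(req[20:], ATTR_USER_PASSWORD)
    return {
        "password_recovered": unhide_password(secret, req_auth, hidden),
        "accepted_with_right_secret": verify_response(secret, req, reply),
        "accepted_with_wrong_secret": verify_response(b"typo-secret", req, reply),
    }


if __name__ == "__main__":
    print(demo())
```

Two practical consequences follow. A mismatched secret is never reported as a secret error: the router discards the reply and the user sees an authentication timeout, so when a new client entry does not work, compare the secrets on both sides before debugging user lists or scripts. And because an Access-Request carries only a random authenticator, the server identifies the client by source address and by whether the hidden password decodes sensibly under that client's secret; the router-to-AR path should therefore be a protected management network rather than a path an attacker can spoof or sniff.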
Task 3. Configure RADIUS AAA on the Querying Device

This task is required if you are using an AAA RADIUS server in your network to provide address management or user authentication, authorization, and accounting. Perform the following steps on whichever device queries the SP AAA RADIUS server: the NAS/LAC or VHG/PE (in L2TP dial-in) or the NAS/PE (in direct ISDN PE dial-in).

Step 1 Enable the device to use the RADIUS protocol for authentication and authorization:
   a. Router (config)# aaa new-model
   b. Router (config)# aaa authentication ppp default local group radius
   c. Router (config)# aaa authorization network default local group radius
   With these method lists the router consults its local username database first and falls through to the RADIUS group only when the user is not defined locally; a stale local username therefore shadows the RADIUS entry for that user.

Step 2 Configure the RADIUS server on the device:
   Router (config)# radius-server host [ip address of radius server] key [sharedsecret]
   The sharedsecret must match the sharedsecret defined in Step 4 of Task 2. Configure the SP AAA RADIUS Server with Client Information on page 3-4.

Task 4. On the RADIUS AAA Server, Configure a Per-user Static Route Using the Framed-route Attribute

To use the Cisco VSA route command, enter:
   cisco-avpair ip:route = vrf [vrf-name] [next hop ip address (optional)]
To use the Framed-Route attribute, enter:
   framed-route = [next hop ip address (optional)]
To use Framed-IP-Address/Framed-IP-Netmask (same function as Framed-Route above), enter:
   framed-route = /24 [next hop ip address (optional)]

Example 3-1 Example of RADIUS Access Registrar Configuration

   [ //localhost/radius/profiles/827-fr/attributes ]
   cisco-avpair = "lcp:interface-config#1= ip vrf forwarding FRtest.com"
   cisco-avpair = "lcp:interface-config#2= ip unnumbered FastEthernet0/0"
   cisco-avpair = "lcp:interface-config#3= encapsulation ppp"
   Framed-IP-Address =
   Framed-IP-Netmask =
   Framed-Protocol = ppp
   Framed-Routing = None
   Service-Type = Framed

Adding New Customer Groups

Perform the tasks described in the following sections for each new customer group.
Task 1. Configure L2TP Information for New Customers (L2TP only)

To configure L2TP information for new customers, do one of the following. The option you select depends on where the L2TP information is stored: on the NAS/LAC or on the AAA server.
- Option 1. Configure L2TP Information Locally on the NAS/LAC
- Option 2. Configure L2TP Information on the AAA Server

Option 1. Configure L2TP Information Locally on the NAS/LAC

Perform the following steps to configure local L2TP information on the NAS/LAC:

Step 1 Enable VPDN on the access server:
   Router (config)# vpdn enable

Step 2 Set the search order used to look up L2TP tunnels (domain name first, then DNIS):
   Router (config)# vpdn search-order domain dnis

Step 3 Define a new VPDN group for each customer domain or DNIS number:
   a. Router (config)# vpdn-group [number]
   b. Router (config-vpdn)# request-dialin
   c. Router (config-vpdn-req-in)# protocol l2tp
   d. Router (config-vpdn-req-in)# domain [domain name]
      Use the domain [domain name] syntax for domain-based customers and the dnis [number] syntax for DNIS customers.
   e. Router (config-vpdn-req-in)# exit
   f. Router (config-vpdn)# initiate-to ip [ip address of VHG]

Step 4 Define a local username and password for tunnel authentication:
   Router (config)# username [hostname] password [tunnel password]
   The tunnel password must be identical on both ends of the tunnel; the VHG/PE side is configured in Task 3. Configure VPDN Information for the Customer Group (L2TP only).
   By default, the host name used in the L2TP tunnel authentication is the host name of the router. You can change this by adding the following command to the VPDN group:
   Router (config-vpdn)# local name [hostname]

Option 2. Configure L2TP Information on the AAA Server

Perform the following steps to configure L2TP information on the AAA server:

Step 1 On the NAS/LAC, enable VPDN:
   Router (config)# vpdn enable

Step 2 Set the search order used to look up L2TP tunnels:
   Router (config)# vpdn search-order domain dnis
Step 3 On the NAS/LAC, enable AAA so that the router looks up L2TP tunnel information on the SP AAA RADIUS server. For details, see Task 3. Configure RADIUS AAA on the Querying Device on page 3-6.

Step 4 On the AAA server, configure the AR to return L2TP information:
   a. Add a service to the AR:
      --> add /Radius/Services/[service name] [service name description] local "" "" RejectAll "" [userlist name]
      --> set /Radius/DefaultAuthenticationService [service name]
      --> set /Radius/DefaultAuthorizationService [service name]
      You can also select the authentication and authorization service with scripting. For Access Registrar (AR) configuration details, refer to the Cisco Access Registrar documentation listed in Table 3-2.
   b. Add a user list to the AR:
      --> add /Radius/Userlists/[userlist name]
      The user list name must match the user list name given in Step a.
   c. Add tunnel records (one per domain name or DNIS number) to the user list:
      --> add /Radius/UserLists/[userlist name]/[domain name] [domain name description] cisco TRUE "" [attributes list]
      The user list name must match the user list name given in Step a. All user records inside the AR database that contain tunnel information must have cisco entered in the password field, because the NAS/LAC's tunnel lookup request carries the domain name (or dnis:[number]) as the user name and the fixed password cisco. For the same reason, keep these records in a user list that is not used to authenticate real users.
      The command for adding a DNIS record is:
      --> add /Radius/UserLists/[userlist name]/dnis:[dnis number] [dnis description] cisco TRUE "" [attributes list]
   d. Add tunnel attributes:
      --> add /Radius/Profiles/[attributes list]
      --> cd /Radius/Profiles/[attributes list]/attributes
      --> set tunnel-medium-type_tag1 1
      --> set tunnel-password_tag1 [tunnel password]
      --> set tunnel-server-endpoint_tag1 [vhg ip address]
      --> set tunnel-type_tag

If you are using AR 1.6 Revision 1 or higher, the syntax of the following two commands changes from what is given above:
      --> set tunnel-medium-type_tag1 ipv4
      --> set tunnel-type_tag1 l2tp

Task 2. Configure VRF Information for the Customer Group

To configure the customer virtual routing/forwarding instance (VRF), which is the routing information associated with a specific VPN, perform the following steps on the VHG/PE or NAS/PE. Before you begin, make sure you have performed the initial BGP configuration in Task 1. Configure the PE Routers for MPLS on page 3-3.

Step 1 Define the VRF:
   a. Router (config)# ip vrf [vpn name]
   b. Router (config-vrf)# rd [route distinguisher]
   c. Router (config-vrf)# route-target import [route target value]
   d. Router (config-vrf)# route-target export [route target value]
   The route distinguisher keeps overlapping customer prefixes distinct in BGP; the route targets decide which VRFs on the remote PEs import this VPN's routes, so an export target belonging to another customer leaks this customer's routes into that customer's VPN.

Step 2 Configure the loopback interface:
   a. Router (config)# interface loopback [number]
   b. Router (config-if)# ip vrf forwarding [vpn name]
      The vpn name must match that defined in Step 1a above.
   c. Router (config-if)# ip address [ip address] [netmask]

Step 3 Configure the BGP session to transport VRF information:
   a. Router (config)# router bgp [autonomous system number]
      The autonomous system number must match that defined in Step 4a of Task 1. Configure the PE Routers for MPLS on page 3-3.
   b. Router (config-router)# address-family ipv4 vrf [vpn name]
   c. Router (config-router-af)# redistribute connected metric 1

Task 3. Configure VPDN Information for the Customer Group (L2TP only)

To configure VPDN information for the customer group, perform the following steps:
Step 1 Enable VPDN on the VHG/PE:
   Router (config)# vpdn enable

Step 2 Define a new VPDN group for each customer group. VPDN information on a home gateway is stored locally on the VHG/PE.
   a. Router (config)# vpdn-group [number]
   b. Router (config-vpdn)# accept-dialin
   c. Router (config-vpdn-acc-in)# protocol l2tp
   d. Router (config-vpdn-acc-in)# virtual-template [virtual template number]
   e. Router (config-vpdn-acc-in)# exit
   f. Router (config-vpdn)# terminate-from hostname [hostname]
      The host name is the tunnel host name of the NAS/LAC, as described in Step 4 of Task 1. Configure L2TP Information for New Customers (L2TP only) on page 3-7 (the router host name, or the local name configured in its VPDN group). terminate-from restricts this group to tunnels from that peer; the name is proven by the tunnel authentication configured in Step 3, not by the peer's IP address.

Step 3 Define a local username and password for tunnel authentication:
   Router (config)# username [hostname] password [tunnel password]
   The tunnel password must be the same as the one configured on the NAS/LAC.

Task 4. Configure Authentication and Authorization

To configure the components where user authentication and authorization take place, use one of the following options. (The choice you make depends on your strategy for authentication and authorization.)
- Option 1. Configure Local Authentication on the VHG/PE (L2TP Only).
- Option 2. Configure Authorization and Authentication on the SP AAA RADIUS Server.
- Option 3. Configure Proxy AAA (L2TP Only). Here the SP AAA RADIUS server queries the customer AAA RADIUS server.
See also Task 4. On the RADIUS AAA Server, Configure a Per-user Static Route Using the Framed-route Attribute, page 3-6.

Option 1. Configure Local Authentication on the VHG/PE (L2TP Only)

Local authentication is not used with direct ISDN PE dial-in. To configure user authentication and authorization on the VHG/PE, perform the following steps:

Step 1 Create a virtual template:
   a. Router (config)# interface virtual-template [number]
      The virtual template number must match the virtual template number defined in Step 2d of Task 3. Configure VPDN Information for the Customer Group (L2TP only) on page 3-9.
   b. Router (config-if)# ip vrf forwarding [vpn name]
      The vpn name must match the vpn name in Step 1a of Task 2. Configure VRF Information for the Customer Group on page 3-9.
   c. Router (config-if)# ip unnumbered loopback [loopback number]
      The loopback number must match the loopback number in Step 2a of Task 2. Configure VRF Information for the Customer Group on page 3-9. That loopback is already in the customer VRF, so the virtual access interface borrows an address that belongs to the right VPN.
   d. Router (config-if)# ppp authentication chap callin

Step 2 For each user in the customer group, configure a username and password:
   Router (config)# username [username@domain] password [user password]

Option 2. Configure Authorization and Authentication on the SP AAA RADIUS Server

To configure user authentication and authorization on the SP AAA RADIUS server, perform the following steps:

Step 1 Configure the VHG/PE or NAS/PE with information on the MPLS group:
   a. Router (config)# aaa new-model
   b. Router (config)# aaa authentication ppp default local group radius
   c. Router (config)# aaa authorization network default local group radius
   d. Router (config)# virtual-profile aaa
   e. Router (config)# interface virtual-template [number]
      In L2TP dial-in, the virtual template number must match the virtual template number in Step 2d of Task 3. Configure VPDN Information for the Customer Group (L2TP only) on page 3-9.
   f. Router (config-if)# ppp authentication chap callin
   g. Router (config-if)# exit
   h. Router (config)# radius-server host [radius server ip address] key [sharedsecret]
   virtual-profile aaa is what lets the per-user attributes returned by the server (Step 2e below) be applied to the virtual access interface on top of the virtual template.

Step 2 Configure the AR with VHG/PE or NAS/PE client information:
   a. Add the VHG/PE or NAS/PE as a client:
      --> add /Radius/Clients/[vhg name] [vhg description] [vhg ip address] [sharedsecret] NAS "" [script]
      The script selects the service that is used for VPDN user authorization and authentication.
   b. Add the service:
      --> add /Radius/Services/[vpdn name] [vpdn description] local "" "" RejectAll "" [vpdn userlist name]
      The VPDN name is derived from the username that is sent by the VHG/PE within the RADIUS Access-Request packet. This information is provided by the script in Step a. For scripting procedures, refer to the Cisco Access Registrar documentation listed in Table 3-2.
   c. Add the user list:
      --> add /Radius/Userlists/[vpdn userlist name]
   d. Add individual VPDN users to the user list:
      --> add /Radius/UserLists/[vpdn userlist name]/[vpdn username] [vpdn user description] [vpdn user password] TRUE "" [vpdn user attributes]
   e. Define the attributes that select the VPN service:
      --> add /Radius/Profiles/[vpdn user attributes]
      --> cd /Radius/Profiles/[vpdn user attributes]/attributes
      --> set service-type framed
      --> set framed-protocol ppp
      --> set cisco-avpair "lcp:interface-config=ip vrf forwarding [vpn name]\\n ip unnumbered Loopback[number]"
      The vpn name must match the vpn name in Step 1a of Task 2. Configure VRF Information for the Customer Group on page 3-9. The loopback number must match the loopback number in Step 2a of Task 2. Configure VRF Information for the Customer Group on page 3-9. If you are configuring dial backup, see Option 1. Configure Static Routing under Provisioning L2TP Dial Backup.

Option 3. Configure Proxy AAA (L2TP Only)

To configure proxy AAA, perform the following steps:

Step 1 Configure the VHG/PE:
   a. Router (config)# aaa new-model
   b. Router (config)# aaa authentication ppp default local group radius
   c. Router (config)# aaa authorization network default local group radius
   d. Router (config)# virtual-profile aaa
   e. Router (config)# interface virtual-template [number]
      The virtual template number must match the virtual template number defined in Step 2d of Task 3. Configure VPDN Information for the Customer Group (L2TP only) on page 3-9.
   f. Router (config-if)# ppp authentication chap callin
   g. Router (config-if)# exit
   h. Router (config)# radius-server host [radius server ip address] key [sharedsecret]

Step 2 Configure the SP AAA RADIUS server:
   a. Add the VHG as a client:
      --> add /Radius/Clients/[vhg name] [vhg description] [vhg ip address] [sharedsecret] NAS "" [script]
      The script selects the service that is used for VPDN user authorization and authentication.
   b. Add the remote AAA servers to which you proxy AAA requests:
      --> add /Radius/RemoteServers/[remote server host name] [remote server description] radius [remote server ip address] [sharedsecret]
      The remote server IP address cannot normally be reached from the SP AAA server, because the MPLS service provider cloud does not carry VPN customer routing information. To give the SP AAA server a route to the customer's AAA server, use route leaking or a management VPN. For information on VPN management, refer to the documentation listed in Table 3-2. The sharedsecret here is the one agreed with the customer's RADIUS server, not the VHG/PE's: the proxy terminates the RADIUS exchange with the VHG/PE and starts a new one with the customer server, so it sees every Access-Request, including the user's credentials, in the clear.
   c. Add a service:
      --> add /Radius/Services/[vpdn name] [vpdn description] radius
      --> cd /Radius/Services/[vpdn name]/remoteservers
      --> set 1 [remote server host name]
      The VPDN name is derived from the username that is sent by the VHG/PE in the RADIUS Access-Request packet. This information is provided by the script in Step a. For scripting procedures, refer to the Cisco Access Registrar documentation listed in Table 3-2.

Task 5. Configure Accounting Between the VHG/PE or NAS/PE and the Access Registrar

To configure accounting between the VHG/PE or NAS/PE and the AR, perform the following steps:
Step 1 Make sure you have configured user authentication and authorization on your AAA server, as described in Task 4. Configure Authentication and Authorization.

Step 2 Configure the VHG/PE or NAS/PE:
   a. Router (config)# aaa accounting network default start-stop group radius

Step 3 Configure the AR:
   --> add /radius/services/[accounting service name]
   --> cd /radius/services/[accounting service name]
   --> set type file
   The accounting service name is derived from the username that is sent by the VHG/PE in the RADIUS Accounting-Request packet. This information is provided by the client script configured in Step 2a of Task 4. For scripting procedures, refer to the Cisco Access Registrar documentation listed in Table 3-2.

Task 6. Configure Address Management

Configure address management using one of the following procedures. The procedure you select depends on the address management strategy you are using.
- Option 1. Configure Local Overlapping Address Pools on the VHG/PE or NAS/PE
- Option 2. Configure Address Management on the SP AAA RADIUS Server
- Option 3. Configure ODAP on the VHG/PE or NAS/PE
- Option 4. Configure the RADIUS AR for ODAP

Option 1. Configure Local Overlapping Address Pools on the VHG/PE or NAS/PE

To configure address management using local overlapping address pools, perform the following steps on the VHG/PE or NAS/PE:

Step 1 Create an address pool on the VHG/PE or NAS/PE:
   Router (config)# ip local pool [vpn customer address pool] [start ip address] [end ip address]
   The pools of different customer groups may overlap, because each pool is only ever applied to a virtual access interface that has already been placed in that customer's VRF (Step 2).

Step 2 Perform one of the following steps. The step you select depends on how you configured user authentication and authorization in Task 4. Configure Authentication and Authorization.
   - If you configured user authentication and authorization on the VHG/PE, add the following command to the virtual template configuration:
     Router (config-if)# peer default ip address pool [vpn customer address pool]
   - If you configured user authentication and authorization on the AAA server, add the pool to the attributes that select the VPN service:
     --> set cisco-avpair "lcp:interface-config=ip vrf forwarding [vpn name]\\n ip unnumbered Loopback[number]\\n peer default ip address pool [vpn customer address pool]"
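The tunnel attributes added in Task 1, Option 2 and the lcp:interface-config AV pairs used in Task 4, Option 2 and in Task 6, Option 1 above reach the router as RADIUS attributes in the Access-Accept. The following Python script, added here as an illustration and not part of the Cisco document, of Cisco IOS or of Access Registrar, encodes both kinds of reply and parses them back the way the receiving router does: the tagged Tunnel-Type, Tunnel-Medium-Type and Tunnel-Server-Endpoint attributes with a Tunnel-Password salt-encrypted under the shared secret (RFC 2868), and a Cisco vendor-specific attribute whose lcp:interface-config value is split into the interface commands the VHG/PE applies to the virtual access interface. The names, addresses, secret and fixed Request Authenticator are constructed for the example.

```python
"""RADIUS reply attributes for L2TP tunnel lookup and per-user VRF placement.

Illustration added to this page; not Cisco IOS or Access Registrar code.
Encodes and decodes (1) the tagged Tunnel-* attributes of RFC 2868 that the
AR returns to the NAS/LAC, including the salt-encrypted Tunnel-Password, and
(2) the Cisco-AVPair 'lcp:interface-config=...' lines the VHG/PE applies to
the virtual access interface.  All values are constructed.
"""
import hashlib
import os
import struct

VENDOR_SPECIFIC, VENDOR_CISCO, CISCO_AVPAIR = 26, 9, 1
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_SERVER_ENDPOINT, TUNNEL_PASSWORD = 64, 65, 67, 69
TUNNEL_TYPE_L2TP, TUNNEL_MEDIUM_IPV4 = 3, 1   # the values behind 'l2tp' and 'ipv4' in aregcmd


def tlv(atype, value):
    """Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(atype, tag, value):
    """RFC 2868 tagged integer: 1-byte tag (the '_tag1' suffix) + 3-byte value."""
    return tlv(atype, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_str(atype, tag, text):
    return tlv(atype, bytes([tag]) + text.encode())


def encrypt_tunnel_password(secret, request_auth, password, tag=1, salt=None):
    """RFC 2868 3.5: Tag | Salt (2 bytes, high bit set) | chain over (len || password):
    b1 = MD5(secret + RequestAuth + salt), b(i) = MD5(secret + c(i-1))."""
    if not 0 < len(password) <= 255:
        raise ValueError("bad tunnel password length")
    if salt is None:
        salt = bytes([0x80 | (os.urandom(1)[0] & 0x7F)]) + os.urandom(1)
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)
    out, key = b"", hashlib.md5(secret + request_auth + salt).digest()
    for i in range(0, len(plain), 16):
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], key))
        out += block
        key = hashlib.md5(secret + block).digest()
    return tlv(TUNNEL_PASSWORD, bytes([tag]) + salt + out)


def decrypt_tunnel_password(secret, request_auth, value):
    """What the NAS/LAC does with the attribute value; returns (tag, password)."""
    tag, salt, data = value[0], value[1:3], value[3:]
    if len(data) % 16 or not salt[0] & 0x80:
        raise ValueError("malformed Tunnel-Password")
    out, key = b"", hashlib.md5(secret + request_auth + salt).digest()
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        key = hashlib.md5(secret + block).digest()
    length = out[0]
    if length > len(out) - 1:
        raise ValueError("length byte inconsistent (wrong shared secret?)")
    return tag, out[1:1 + length]


def cisco_avpair(text):
    """Vendor-Specific (26): vendor-id 9, then a vendor-type 1 (Cisco-AVPair) TLV."""
    return tlv(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + tlv(CISCO_AVPAIR, text.encode()))


def parse_attrs(blob):
    """Walk a TLV sequence; rejects lengths that would run past the buffer."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute")
        atype, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        out.append((atype, blob[i + 2:i + length]))
        i += length
    return out


def tunnel_reply(secret, request_auth, endpoint, tunnel_password, tag=1):
    """Attribute payload matching the four 'set tunnel-*_tag1' aregcmd lines."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_L2TP)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IPV4)
            + tagged_str(TUNNEL_SERVER_ENDPOINT, tag, endpoint)
            + encrypt_tunnel_password(secret, request_auth, tunnel_password, tag))


def decode_tunnel_reply(secret, request_auth, blob):
    """Group the tagged attributes by tag, as the LAC does to build one tunnel."""
    tunnels = {}
    for atype, value in parse_attrs(blob):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tunnels.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_SERVER_ENDPOINT:
            tunnels.setdefault(value[0], {})[atype] = value[1:].decode()
        elif atype == TUNNEL_PASSWORD:
            tag, pw = decrypt_tunnel_password(secret, request_auth, value)
            tunnels.setdefault(tag, {})[atype] = pw
    return tunnels


def interface_commands(blob):
    """Cisco-AVPair lcp:interface-config values, split into the IOS lines the
    VHG/PE applies to the virtual access interface (one command per newline).
    Handles both the plain key and the numbered 'lcp:interface-config#N' form."""
    cmds = []
    for atype, value in parse_attrs(blob):
        if atype != VENDOR_SPECIFIC or struct.unpack("!I", value[:4])[0] != VENDOR_CISCO:
            continue
        for vtype, vvalue in parse_attrs(value[4:]):
            key, _, val = vvalue.decode().partition("=")
            if vtype == CISCO_AVPAIR and key.split("#")[0] == "lcp:interface-config":
                cmds += [line.strip() for line in val.split("\n") if line.strip()]
    return cmds
```

Two points worth noticing. The \\n in the aregcmd command lines is an escaped newline: on the wire the VHG/PE receives a real newline between the commands, which is why the parser splits on it and why a missing or doubled backslash silently turns two commands into one invalid one. And Tunnel-Password is only as strong as the NAS/LAC's shared secret: anyone who captures the lookup reply and knows that secret recovers the L2TP tunnel password, so the tunnel password and the RADIUS secret should be distinct and the AR-to-LAC path protected.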
Option 2. Configure Address Management on the SP AAA RADIUS Server

To configure address management on the SP AAA RADIUS server, perform the following steps. Make sure you have performed the accounting configuration in Task 5. Configure Accounting Between the VHG/PE or NAS/PE and the Access Registrar. Accounting is mandatory for address management on a RADIUS server: the server allocates an address in the Access-Accept and releases it only when the Accounting-Stop for that session arrives, so without accounting the pool is never replenished.

Step 1 Define the resource manager:
   a. --> add /Radius/ResourceManagers/[resource manager for vpn customer]
   b. --> cd /Radius/ResourceManagers/[resource manager for vpn customer]
   c. --> set type ip-dynamic
   d. --> set netmask [netmask]
   e. --> cd IPaddresses
   f. --> add [ip address range for address pool]

Step 2 Define the session manager:
   a. --> add /Radius/SessionManagers/[session manager name]
   b. --> cd /Radius/SessionManagers/[session manager name]/resourcemanagers
   c. --> add 1 [resource manager for vpn customer]
   The session manager name is derived from the domain name that is sent by the VHG/PE in the RADIUS Access-Request packet. This information is provided by the client script configured in Step 2a of Task 4. For scripting procedures, refer to the Cisco Access Registrar documentation listed in Table 3-2.

Option 3. Configure ODAP on the VHG/PE or NAS/PE

If you are implementing ODAP (on-demand address pools), perform the following steps on the VHG/PE or NAS/PE.

Step 1 Configure a DHCP address pool on the Cisco IOS DHCP server:
   Router(config)# ip dhcp pool [address pool name]

Step 2 Tie the pool to a particular VPN and have it obtain its subnets from AAA:
   a. Router(config-dhcp)# vrf [vrf name]
   b. Router(config-dhcp)# origin aaa subnet size initial [size] autogrow [size]

Step 3 Configure the network access server to recognize and use vendor-specific attributes:
   a. Router(config)# radius-server host [ip address]
   b. Router(config)# radius-server key [string]
   c. Router(config)# radius-server vsa send accounting
   d. Router(config)# radius-server vsa send authentication

Step 4 Enable the address pooling mechanism used to supply IP addresses:
   Router(config)# ip address-pool dhcp-pool

Step 5 Create a virtual template interface:
   Router(config)# interface virtual-template [number]

Step 6 Specify that an address from the DHCP mechanism is returned to a remote peer connecting to this virtual template interface:
   Router(config-if)# peer default ip address dhcp-pool

Because the user name in the ODAP subnet request can be the same as the VPDN domain name, either use scripts on the RADIUS AR to differentiate between requests for subnets and requests for VPDN information, or make the VRF name different from the domain name.

Example 3-2 ODAP Configuration Example

   aaa authorization configuration default group radius
   aaa accounting network default start-stop group radius   ! accounting is needed to release subnets
   ip dhcp pool odap-test
    vrf <vrf-name>                                           ! part of the access-request username
    origin aaa subnet size initial /27 autogrow /27
   radius-server host
   radius-server key ww
   radius-server vsa send accounting                         ! VSA attributes in the accounting packet
   radius-server vsa send authentication                     ! VSA attributes in the access-request packet
   ip address-pool dhcp-pool                                 ! global command: use local DHCP VRF pools
   interface virtual-template X
    peer default ip address dhcp-pool

Option 4. Configure the RADIUS AR for ODAP

To configure the RADIUS AR for ODAP, use a script that accomplishes the following:
- Selects a service named [vrf name]-odap and a session manager with the same name as the service
- Configures the resource manager for ODAP

Cisco AR 1.7 R1 has been enhanced to make ODAP functionality more accessible and to enable ODAP requests and normal user authentication to occur on the same Cisco AR server. To achieve this, a new Cisco vendor script, CiscoWithODAPIncomingScript, was written to direct ODAP requests to particular services and session managers. CiscoWithODAPIncomingScript also provides the same functionality as the previous CiscoIncomingScript. Additionally, Cisco AR 1.7 R1 has a new vendor type, CiscoWithODAP, which references CiscoWithODAPIncomingScript as its IncomingScript and references the existing script, CiscoOutgoingScript, as its OutgoingScript. For Cisco AR configuration details, see the Cisco Access Registrar documentation listed in Table 3-2.

Task 7. (If You Are Using MLP) Configure LCP Renegotiation and Enable MLP for Users in the Group

If you are implementing MLP, perform the following steps on the VHG/PE or NAS/PE:
Step 1 (L2TP only) On the VHG/PE, configure LCP renegotiation so that requests from the LAC are not rejected. For each customer group, enter these commands on the VPDN group:
   a. Router (config)# vpdn-group [number]
      The vpdn-group number is the number defined for this group in Task 3. Configure VPDN Information for the Customer Group (L2TP only) on page 3-9.
   b. Router (config-vpdn)# lcp renegotiation always
   Without LCP renegotiation, the NAS/LAC might reject MLP requests during the initial LCP negotiation between the dial-in user and the NAS/LAC.

Step 2 Enable MLP for users in the group on the virtual template (in L2TP dial-in) or on the physical interface or rotary dialer group (in direct ISDN PE dial-in):
   Router (config-if)# ppp multilink
   Enabling MLP is exactly the same in this context as in a non-MPLS environment. For more information, refer to ppp.htm.

Task 8. (If You Are Using MMP) Configure SGBP on Each Stack Group Member

To use MMP, you must also implement MLP. See Task 7. (If You Are Using MLP) Configure LCP Renegotiation and Enable MLP for Users in the Group. If you are implementing MMP, perform the following steps to configure SGBP on each stack group member (VHG/PE or NAS/PE). Do not define more than one stack group on the same router. In this example, you are configuring stack group member C.

Step 1 Define a stack group:
   Router (config)# sgbp group [stack-group-name]
   where [stack-group-name] is the name of the stack group. A stack group name is a unique name used by all members of the group.

Step 2 Define the username and password used for authentication between members of the group:
   Router (config)# username [stack-group-name] password [password]
   The username and password must be the same on all members of the group.
Step 3 Specify the host name and IP address of each stack group peer of this router. For each peer (but not for the local system), enter the following command:
   Router (config)# sgbp member [peer-name] [peer-ip-address]

Provisioning L2TP Dial Backup

You provision L2TP dial backup in the same way as L2TP dial-in (see Dial-In Provisioning Checklist on page 3-2), with the following differences:
- The same remote CE is used for the primary and the backup link.
- Because dial backup ordinarily connects remote sites, not remote users, to a customer VPN, address assignment is not needed.
- Backup links are typically MLP links, and an IGP routing protocol can be configured on the backup link. Static or dynamic routing must be provisioned.
- Authentication of the remote CE is similar to remote user authentication in L2TP dial-in. If you are managing the CE, the SP AAA server can authenticate the remote CE; proxy authentication is not needed.
- Accounting records, including MLP information, are maintained for the duration of the backup session. As with L2TP dial-in, accounting can be implemented through use of the SP AAA server or AAA proxy.

For more information on dial backup technology, refer to Dial Backup Configuration in the Cisco IOS Dial Technologies Configuration Guide, Release 12.2, at tm.

Configuring Routing on a Backup CE-PE Link

In dial backup, either static or dynamic routing can be used, depending on whether dynamic routing is enabled on the primary link.

Option 1. Configure Static Routing

If dynamic routing is not enabled on the primary link between the CE and the VHG/PE, you must configure static VRF routes for the backup link on the VHG/PE. When the primary link goes down because of lack of connectivity, the primary static route is withdrawn. For the backup PPP session, the static route is downloaded from the RADIUS AAA server as part of the virtual profile, and the route is inserted into the appropriate VRF when the backup virtual interface is brought up. When the primary link is restored, the primary static VRF route is also restored, and the CE terminates the backup connection. The PE then deletes the backup static VRF route.

If dynamic routing is enabled on the primary CE-PE link, you should configure dynamic routing for the backup link also.

Where static routing is used for the backup link, the static route is configured on the SP RADIUS AAA server as part of the virtual profile and downloaded to the VHG/PE. The route is inserted into the appropriate VRF when the backup virtual interface is brought up.
To configure static routing, perform the following steps:

Step 1 On the AAA RADIUS server, modify the Cisco vendor-specific attribute route command. Change:

    --> cisco-avpair ip:route = <nexthop IP address netmask>

(the next hop IP address is optional) to

    --> cisco-avpair ip:route = vrf [vrf-name] <nexthop IP address netmask>

Defining the next hop IP address configures static routing. When the CE requests an IP address for the PPP link, the next hop will be set to this address. (If the next hop is not defined, routing is dynamic.)

Step 2 Download the above information to the VHG/PE.

Option 2. Configure Dynamic Routing

Where you have configured dynamic routing on the primary CE-PE link, also configure dynamic routing on the backup VHG/PE. To configure dynamic routing, perform the following steps on the VHG/PE:

Step 1 Configure a loopback interface to forward traffic to the appropriate VRF:

    a. Router (config)# interface loopback 1
    b. Router (config-if)# ip vrf forwarding [vrf-name]

Step 2 Assign an address in a.b.c.d format (an IP address on the VHG/PE) to the loopback interface:

    Router (config-if)# ip address [a.b.c.d]

Step 3 Configure the IGP instance (such as RIP, in this example) for this VRF:

    a. Router (config)# router rip
    b. Router (config-router)# address-family ipv4 vrf [vrf-name]

Step 4 Make network a.b.c.d part of the IGP:

    Router (config-router-af)# network a.b.c.d

For example, if the IP address assigned to the loopback interface in Step 2 is a.b.c.d, enter network a.b.c.d.

Step 5 Use a virtual template to download virtual access interface-specific settings from the SP AAA RADIUS server.

    a. Add the service:

        --> add /Radius/Services/[vpdn name] [vpdn description] local "" "" RejectAll "" [vpdn userlist name]

    The VPDN name is derived from the PPP session username that is sent by the VHG/PE in the RADIUS access request packet. This information is provided by the script in Task 4, Configure Authentication and Authorization, Option 2. Configure Authorization and Authentication on the SP AAA RADIUS Server. For scripting procedures, refer to

    b. Add the user list:

        --> add /Radius/UserLists/[vpdn userlist name]

    c. Add individual VPDN users for the user list:

        --> add /Radius/UserLists/[vpdn userlist name]/[vpdn username] [vpdn user description] [vpdn user password] TRUE "" [vpdn user attributes]

    d. Define attributes for selecting the VPN service:

        --> add /Radius/Profiles/[vpdn user attributes]
        --> cd /Radius/Profiles/[vpdn user attributes]/attributes
        --> set service-type framed
        --> set framed-protocol ppp
        --> set cisco-avpair "lcp:interface-config=ip vrf forwarding [vpn name]\\n ip unnumbered Loopback [number]"

    The vpn name must match the vpn name in substep a of Task 2. Configure VRF Information for the Customer Group on page 3-9. The loopback number must match the loopback number in substep a of Task 2. Configure VRF Information for the Customer Group on page 3-9. The virtual interface should be unnumbered to the loopback interface.

    If you are using a third-party RADIUS server, use the PPP session username to select the RADIUS record. The RADIUS record should contain the attributes in the set cisco-avpair command above.

Provisioning Dial-out Access

Provisioning dial-out access is similar to provisioning dial-in access, with these exceptions:

- For users to be able to place dial-out calls, you must configure dialer profiles on the VHG/PE (in L2TP dial-out) or on the NAS/PE (in direct ISDN PE dial-out).
- No AAA RADIUS configuration is needed, because user information is directly implemented on the dialer profile interface configured on the dial-out router.

Before You Begin

The procedures provided here are specific to provisioning remote access to an MPLS VPN and are based on two assumptions:

1. That the following setup and configuration tasks have already been carried out:
   - Setup of the MPLS core network
   - Setup of the customer VPN
   - Configuration of the links between the PE and the CE
2. That you have a good understanding of the architecture and features you are using and that you have selected the means you will use for implementing those features (for example, which of several strategies you will use for address management or for user authentication and authorization). See Chapter 2, Overview of Dial Access to MPLS VPN Integration for information that will help you understand the dial architectures and decide on your implementation approach.

Dial-Out Provisioning Checklist

Table 3-4 lists tasks for dial-out provisioning. Procedures for completing each task are described in the sections that follow. If you are viewing this document online, you can click on highlighted text to get details on the procedure.

Table 3-4 Checklist of Tasks for Dial-out Provisioning

| Task | L2TP Dial-Out | Direct ISDN PE Dial-Out |
|---|---|---|
| Before you begin, read the Cisco Remote Access to MPLS VPN Integration 2.0 Release Notes at n/rampls2/relnote/index.htm | | |
| Task 1. Configure the Dialer Profile. | On the VHG/PE | On the NAS/PE |
| Task 2. Configure the VPDN Group (L2TP Only). | On the VHG/PE | |
| Task 3. Configure a Static Route in the Customer VRF. | On the VHG/PE and on the NAS | On the NAS/PE |
| Task 4. Configure VPDN on the NAS (L2TP only). | On the NAS | |
| Miscellaneous Component Configurations | For miscellaneous component configuration details, see Table 3-2. | |

Task 1. Configure the Dialer Profile

In this task, you configure a dialer profile (on the VHG/PE or NAS/PE) to be part of the customer VRF. In L2TP dial-out, you also configure the dialer profile to use a VPDN group.

On the VHG/PE or NAS/PE, include the following command in the dialer profile:

    Router (config-if)# ip vrf forwarding [vpn name]

(L2TP only) On the VHG/PE, include the dialer vpdn command in the dialer profile to configure the dialer profile for L2TP:

    Router (config-if)# dialer vpdn

In Example 3-3, the commands listed above are in bold. The dialer profile defined is Dialer50. The vpn name is V1.17.com. The dialer pool number, 4, is referenced in the configuration of the VPDN group in Task 2.
Example 3-3 VHG/PE Dialer Profile Configuration (L2TP dial-out)

    interface Dialer50
     ip vrf forwarding V1.17.com
     ip unnumbered Loopback172
     encapsulation ppp
     no keepalive
     dialer pool 4
     dialer remote-name U0001N1P4V1.17@V1.17.com
     dialer idle-timeout
     dialer string
     dialer load-threshold 5 either
     dialer vpdn
     dialer-group 1
     peer default ip address
     no cdp enable
     ppp authentication chap callin
     ppp chap hostname dialout
     ppp chap password
     ppp multilink
     multilink load-threshold 5 outbound
    end

The dialer-group command specifies which dialer list to use. In the example, dialer-group 1 is linked to dialer-list 1 protocol ip permit, a global command that, like an access list, tells the router which traffic (in this case, all IP traffic) will trigger the dialer profile and thus the call. Alternatively, you can use an access list to filter out routing updates or allow only HTTP traffic (URL requests) to trigger a call.

For more information on configuring dialer profiles, see dcdiprof.htm.

Task 2. Configure the VPDN Group (L2TP Only)

This task applies to L2TP dial-out only. In this task, you configure the VPDN group as a pool member of the dialer pool defined in the dialer profile in Task 1.

On the VHG/PE, use the following command to configure the VPDN group as a pool member:

    Router (config-vpdn-group)# pool-member [pool number]

In Example 3-4, the pool-member corresponds to the pool number in the dialer profile configured in Task 1.

Example 3-4 VHG/PE VPDN Group Configuration

    vpdn-group V1.17
     request-dialout
      protocol l2tp
      pool-member 4
     initiate-to ip
     local name c72d2-2-v1.17
     source-ip
     l2tp tunnel password <password>

The l2tp tunnel password command overrides the default password in the local user database. You can also define a username for the local name in the global configuration. To do so, use this command:

    Router (config)# username c72d2-2-v1.17 password <password>
Task 3. Configure a Static Route in the Customer VRF

In this task, you configure the customer VRF (on the VHG/PE or NAS/PE) with a static route for this dial-out user. This will attract traffic to the appropriate remote CE.

On the VHG/PE, in the customer VRF use this command to configure a static route for this dial-out user:

    Router (config)# ip route vrf [vpn name] [ce ip address] Dialer50 permanent

Task 4. Configure VPDN on the NAS (L2TP only)

Perform the following steps to configure VPDN for dial-out on the NAS. See Example 3-5 for a configuration example.

Step 1 Enable VPDN:

    Router (config)# vpdn enable

Step 2 Configure the VPDN group to accept dial-out (when the VHG/PE requests a tunnel and attempts to trigger a session):

    a. Router (config)# vpdn-group [number]
    b. Router (config-vpdn)# accept-dialout
    c. Router (config-vpdn-acc-out)# protocol l2tp
       Router (config-vpdn-acc-out)# dialer 1

    dialer 1 specifies the dialer that is used to dial out to the client.

    d. Router (config-vpdn-acc-out)# exit
    e. Router (config-vpdn)# terminate-from hostname [hostname]

    L2TP tunnels that have this hostname will be accepted.

Step 3 Configure the tunnel secret to be used for VPN tunnel authentication for this VPDN group:

    Router (config-vpdn)# l2tp tunnel password [tunnel password]

The secret must match that used in the VPDN group on the VHG/PE or the entry in the local user password database.

Step 4 On the dialer interface, enable dial-on-demand routing:

    Router (config-if)# dialer aaa

This enables the dialer to use the AAA server to locate the profiles to use for dialing information. When the VHG/PE sends dialer string attributes, the rotary group will trigger the call.

Step 5 On the physical dialer interface, use this command to reference the rotary group dialer 1:

    Router (config)# interface serial [physical dialer interface]
    Router (config-if)# dialer rotary-group 1

Example 3-5 NAS VPDN Group Configuration

    vpdn enable
    vpdn-group V1.17
     accept-dialout
      protocol l2tp
      dialer 1
      /* Specifies the dialer that is used to dial out to the client. */
     terminate-from hostname c72d9-1-v1.4
     /* Accepts L2TP tunnels that have this host name configured as a local name. */
     l2tp tunnel password 7 <password>
     /* Configures the tunnel secret that will be used for VPN tunnel authentication for this VPN group.
        This password must match that configured in Task 2 in the VPDN group on the VHG/PE or the entry
        in the local user password database. */
     source-ip
    interface Dialer1
     ip unnumbered Loopback0
     encapsulation ppp
     no keepalive
     dialer in-band
     /* Enables DDR on the Dialer1 interface. */
     dialer aaa
     /* Enables the dialer to use the AAA server to locate profiles for dialing information. */
     dialer-group 1
     no cdp enable
     ppp authentication chap callin

Sample Configurations

This section includes sample configurations. The examples are presented as illustrations only; your configuration specifics depend on how you are implementing remote access to MPLS VPN and will vary from what is presented here. The relevant commands for remote access to MPLS VPN are in bold and are described in italicized comments.

Sample Configurations for L2TP Dial-In

Sample NAS Configuration

On the NAS, you configure the VPDN group that will bring up the L2TP tunnel to the VHG/PE.
All MPLS VPN-relevant commands are configured on the VHG/PE, not the NAS.

Example 3-6 NAS Sample Configuration

    Router# show run
    version 12.2
    no service pad
    service tcp-keepalives-in
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    no service password-encryption
    service internal
    hostname c54d2-1
    enable secret <password>
    enable password <password>
    username c54d2-1-v1.1 password 0 ww
    resource-pool disable
    call rsvp-sync
    dial-tdm-clock priority 1 6/0
    - VPDN configuration:
    vpdn enable
    vpdn search-order domain dnis
    - Look up VPDN by domain and then by DNIS
    - Configuration for a VPDN group (in this example, V1.1):
    vpdn-group V1.1
     request-dialin
      protocol l2tp
      domain V1.1.com
     initiate-to ip
     local name c54d2-1-v1.1
     - Name used on this NAS, used on VHG in terminate-from hostname c54d2-1-v1.1
     source-ip
     - Loopback interface
    controller E1 6/0
     pri-group timeslots 1-31
    interface Loopback0
     ip address
    interface FastEthernet0/0
     ip address
    interface Serial6/0:15
     no ip address
     encapsulation ppp
     dialer rotary-group 1
     isdn switch-type primary-net5
     ppp authentication chap callin
    interface Dialer1
     ip unnumbered Loopback0
     encapsulation ppp
     no ip route-cache
     no ip mroute-cache
     dialer in-band
     ppp authentication chap callin
    router ospf 100
     log-adjacency-changes
     network area 0
    ip classless
    no ip http server
    ip pim bidir-enable
    line con 0
     exec-timeout 0 0
     logging synchronous
    line aux 0
     logging synchronous
    line vty 0 4
     exec-timeout 0 0
     login
    end

Sample VHG/PE Configuration

In this example, the VHG/PE is configured to terminate L2TP sessions received from the NAS and query the RADIUS server for dial options authorized for a given dial-in user.

Example 3-7 VHG/PE Sample Configuration

    Router# sh run
    version 12.2
    service tcp-keepalives-in
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    no service password-encryption
    service internal
    hostname c72d2-2
    - RADIUS request:
    aaa new-model
    aaa authentication login default none
    aaa authentication ppp default local group radius
    - Look for user name in local database; if not found, look on RADIUS
    aaa authorization network default local group radius
    - Similarly for network authorization
    aaa authorization configuration default group radius
    aaa accounting network default start-stop group radius
    aaa session-id common
    enable secret <password>
    enable password <password>
    - Authenticate user and L2TP tunnel locally:
    username c72d2-2 password 0 ww
    - (Since no local name is defined on the vpdn group in this example, the VHG/PE will use its hostname
      as the username in the L2TP authentication process for the tunnel.)
    ip subnet-zero
    ip vrf V1.1.com
     rd 1:1
     route-target export 1:1
     route-target import 1:1
    vpdn enable
    vpdn search-order domain dnis
    - Bind the user coming from NAS c54d2-1-v1.1 to this profile (V1.1) and use virtual template 1:
    vpdn-group V1.1
     accept-dialin
      protocol l2tp
      virtual-template 1
     terminate-from hostname c54d2-1-v1.1
     lcp renegotiation always
     source-ip

Note that the VHG/PE clones a virtual access interface (a set of generic IOS commands) from the specified virtual template. If per-user configuration is also used (through the virtual-profile aaa command), the VHG/PE queries the RADIUS server to authenticate the PPP user with a username and password.

    tag-switching tdp router-id Loopback0
    interface Loopback0
     ip address
    interface Loopback1
     ip vrf forwarding V1.1.com
     ip address
    interface FastEthernet0/0
     ip address
    interface POS5/0
     ip address
     tag-switching ip
    - Configuration from the template; multilink is enabled
    interface Virtual-Template1
     no peer default ip address
     ppp authentication chap callin
     ppp multilink
    router ospf 100
     log-adjacency-changes
     network area 0
    router bgp 100
     no synchronization
     bgp log-neighbor-changes
     neighbor remote-as 100
     neighbor update-source Loopback0
     neighbor soft-reconfiguration inbound
     neighbor remote-as 100
     neighbor update-source Loopback0
     no auto-summary
     address-family ipv4 vrf V1.1.com
      redistribute connected metric 1
      no auto-summary
      no synchronization
     exit-address-family
     address-family vpnv4
      neighbor activate
      neighbor send-community extended
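As an added example (not part of the Cisco guide), the following Python script cross-checks the relationships this chapter depends on between the NAS and VHG/PE configurations: the NAS local name must match the VHG/PE terminate-from hostname so that only the intended LAC's tunnel is accepted, the virtual template named in the VPDN group must exist and require CHAP, and every ip vrf forwarding statement, including one carried in the lcp:interface-config RADIUS attribute from the dial-backup procedure, must name a VRF defined on the VHG/PE. The two configs are constructed in the shape of Examples 3-6 and 3-7 with documentation addresses, and the function names and checks are the example's own.

```python
"""Consistency checks for an L2TP dial-in NAS and VHG/PE pair (added example, not
from the Cisco guide). Both configs are constructed in the shape of Examples 3-6
and 3-7 with documentation addresses; nothing is read from a live device."""

# Constructed: trimmed NAS (LAC) config in the shape of Example 3-6.
NAS_CONFIG = """\
vpdn-group V1.1
 request-dialin
  protocol l2tp
  domain V1.1.com
 initiate-to ip 192.0.2.2
 local name c54d2-1-v1.1
"""

# Constructed: trimmed VHG/PE (LNS) config in the shape of Example 3-7.
VHG_CONFIG = """\
ip vrf V1.1.com
 rd 1:1
vpdn-group V1.1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname c54d2-1-v1.1
interface Loopback1
 ip vrf forwarding V1.1.com
 ip address 198.51.100.1 255.255.255.255
interface Virtual-Template1
 ppp authentication chap callin
"""


def parse_blocks(config: str) -> list:
    """Group IOS config text into (top-level command, indented sub-commands) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def _starting(blocks: list, prefix: str) -> list:
    return [b for b in blocks if b[0].startswith(prefix)]


def check_vhg(config: str) -> list:
    """VHG/PE findings: open tunnel acceptance, missing template or CHAP, unknown VRF."""
    blocks = parse_blocks(config)
    vrfs = {h.split()[2] for h, _ in _starting(blocks, "ip vrf ")}
    templates = {h.split()[1] for h, _ in _starting(blocks, "interface Virtual-Template")}
    findings = []
    for hdr, body in _starting(blocks, "vpdn-group "):
        if "accept-dialin" not in body:
            continue
        # Without terminate-from hostname, the group would accept a tunnel from any LAC.
        if not any(c.startswith("terminate-from hostname ") for c in body):
            findings.append(f"{hdr}: no terminate-from hostname")
        for c in body:
            if c.startswith("virtual-template ") and "Virtual-Template" + c.split()[1] not in templates:
                findings.append(f"{hdr}: interface Virtual-Template{c.split()[1]} is not defined")
    for hdr, body in _starting(blocks, "interface "):
        if hdr.startswith("interface Virtual-Template") and not any(
                c.startswith("ppp authentication chap") for c in body):
            findings.append(f"{hdr}: PPP CHAP authentication not configured")
        for c in body:
            if c.startswith("ip vrf forwarding ") and c.split()[3] not in vrfs:
                findings.append(f"{hdr}: {c} names an undefined VRF")
    return findings


def check_tunnel_pairing(nas_config: str, vhg_config: str) -> list:
    """Each NAS request-dialin 'local name' must be a VHG/PE 'terminate-from hostname'."""
    nas_names, vhg_names = set(), set()
    for _, body in _starting(parse_blocks(nas_config), "vpdn-group "):
        if "request-dialin" in body:
            nas_names |= {c.split()[2] for c in body if c.startswith("local name ")}
    for _, body in _starting(parse_blocks(vhg_config), "vpdn-group "):
        vhg_names |= {c.split()[2] for c in body if c.startswith("terminate-from hostname ")}
    return [f"NAS local name {n}: no matching terminate-from hostname on the VHG/PE"
            for n in sorted(nas_names - vhg_names)]


def check_interface_config_avpair(avpair: str, vhg_config: str) -> list:
    """The VRF in an lcp:interface-config value must exist and its loopback must sit in that VRF."""
    body = avpair.split("lcp:interface-config=", 1)[-1].replace("\n", "\\n")
    cmds = [c.strip() for c in body.split("\\n")]  # commands are separated by a literal \n
    vrf = next((c.split()[3] for c in cmds if c.startswith("ip vrf forwarding ")), None)
    loop = next(("".join(c.split()[2:]) for c in cmds if c.startswith("ip unnumbered ")), None)
    blocks = parse_blocks(vhg_config)
    findings = []
    if vrf not in {h.split()[2] for h, _ in _starting(blocks, "ip vrf ")}:
        findings.append(f"VRF {vrf} is not defined on the VHG/PE")
    loop_block = [b for b in blocks if b[0] == f"interface {loop}"]
    if not loop_block:
        findings.append(f"interface {loop} is not defined on the VHG/PE")
    elif f"ip vrf forwarding {vrf}" not in loop_block[0][1]:
        findings.append(f"interface {loop} is not in VRF {vrf}")
    return findings
```

Feed the functions the text of a show run capture in place of the constructed strings; check_interface_config_avpair enforces the guide's requirement that the vpn name and loopback number in the set cisco-avpair command match the VRF configured in Task 2.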
Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example Document ID: 113337 Contents Introduction Prerequisites Requirements Components Used Conventions Configuration
More informationConfiguring Enhanced Object Tracking
Configuring Enhanced Object Tracking First Published: May 2, 2005 Last Updated: July 1, 2009 Before the introduction of the Enhanced Object Tracking feature, the Hot Standby Router Protocol (HSRP) had
More informationProvisioning Cable Services
CHAPTER 10 This chapter describes how to provision MPLS VPN cable in IP Solutions Center (ISC). It contains the following sections: Overview of MPLS VPN Cable, page 10-1 in ISC, page 10-5 Creating the
More informationSimple MPLS network topology for Dynamips/Olive
Simple MPLS network topology for Dynamips/Olive R1 version 12.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption hostname R1 boot-start-marker
More informationAnalyzing Capabilities of Commercial and Open-Source Routers to Implement Atomic BGP
Telfor Journal, Vol. 2, No. 1, 2010. 13 Analyzing Capabilities of Commercial and Open-Source Routers to Implement Atomic BGP Aleksandar Cvjetić and Aleksandra Smiljanić Abstract The paper analyzes implementations
More informationHow to Configure Cisco 2600 Routers
Helsinki University of Technology Department of Communications and Networking How to Configure Cisco 2600 Routers Juha Järvinen 10.6.2004 Juha.Jarvinen@netlab.hut.fi Modified by Zhong Yunqiu 7.8.2008 Table
More informationApproach to build MPLS VPN using QoS capabilities
International Journal of Engineering Research and Development e-issn: 2278-067X, p-issn: 2278-800X, www.ijerd.com Volume 7, Issue 8 (June 2013), PP. 26-32 Approach to build MPLS VPN using QoS capabilities
More informationConfiguring Timeout, Retransmission, and Key Values Per RADIUS Server
Configuring Timeout, Retransmission, and Key Values Per RADIUS Server Feature Summary The radius-server host command functions have been extended to include timeout, retransmission, and encryption key
More informationIntegrated Data and Voice Services for ISDN PRI Interfaces on Multiservice Access Routers
Integrated Data and Voice Services for ISDN PRI Interfaces on Multiservice Access Routers This chapter describes how to configure ISDN PRI interfaces to support the integration of data and voice calls
More informationImplementing Secured Converged Wide Area Networks (ISCW) Version 1.0
COURSE OVERVIEW Implementing Secure Converged Wide Area Networks (ISCW) v1.0 is an advanced instructor-led course that introduces techniques and features that enable or enhance WAN and remote access solutions.
More informationObjectives. Router as a Computer. Router components and their functions. Router components and their functions
2007 Cisco Systems, Inc. All rights reserved. Cisco Public Objectives Introduction to Routing and Packet Forwarding Routing Protocols and Concepts Chapter 1 Identify a router as a computer with an OS and
More informationSupported Platforms. Supported Standards, MIBs, and RFCs. Prerequisites. Related Features and Technologies. Related Documents. Improved Server Access
Configuring Timeout, Retransmission, and Key Values per RADIUS Server The Configuring Timeout, Retransmission, and Key Values per RADIUS Server feature extends the functionality of the existing radius-server
More informationTroubleshooting Cisco Remote Access to MPLS VPN Integration 2.0
Troubleshooting Cisco Remote Access to MPLS VPN Integration 2.0 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS
More informationHow To Set Up Bgg On A Network With A Network On A Pb Or Pb On A Pc Or Ipa On A Bg On Pc Or Pv On A Ipa (Netb) On A Router On A 2
61200860L1-29.4E March 2012 Configuration Guide Configuring Border Gateway Protocol in AOS for Releases Prior to 18.03.00/R10.1.0 This guide only addresses BGP in AOS data products using AOS firmware prior
More informationUsing OSPF in an MPLS VPN Environment
Using OSPF in an MPLS VPN Environment Overview This module introduces the interaction between multi-protocol Border Gateway Protocol (MP-BGP) running between Provider Edge routers (s) and Open Shortest
More informationBenoit Lourdelet Cisco Systems Cisco IOS IPv6 Technical Marketing Engineer blourdel@cisco.com. 2003, Cisco Systems, Inc. All rights reserved.
Benoit Lourdelet Cisco Systems Technical Marketing Engineer blourdel@cisco.com 1 A Today s Network Infrastructure MPLS technology selected as existing core infrastructure Current services are MPLS/VPN,
More informationAPNIC Members Training Course Security workshop. 2-4 July, 2008. Port Vila Vanuatu. In conjunction with PACNOG 4
APNIC Members Training Course Security workshop 2-4 July, 2008 Port Vila Vanuatu In conjunction with PACNOG 4 Router device security lab 1. APNIC s remote lab In these exercises you will be remotely accessing
More informationConfiguring Access Service Security
CHAPTER 3 Configuring Access Service Security The access service security paradigm presented in this guide uses the authentication, authorization, and accounting (AAA) facility. Authentication requires
More informationExam Name: BGP + MPLS Exam Exam Type Cisco Case Studies: 3 Exam Code: 642-691 Total Questions: 401
Question: 1 Every time a flap occurs on a route, the route receives A. 750 per-flap penalty points which are user configurable B. 1500 per-flap penalty points which are user configurable C. 200 per-flap
More informationWhy Is MPLS VPN Security Important?
MPLS VPN Security An Overview Monique Morrow Michael Behringer May 2 2007 Future-Net Conference New York Futurenet - MPLS Security 1 Why Is MPLS VPN Security Important? Customer buys Internet Service :
More informationCisco Which VPN Solution is Right for You?
Table of Contents Which VPN Solution is Right for You?...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1 Components Used...1 NAT...2 Generic Routing Encapsulation Tunneling...2
More informationYou can specify IPv4 and IPv6 addresses while performing various tasks in this feature. The resource
The feature enables the configuration of a Virtual Private Network (VPN) routing and forwarding instance (VRF) table so that the domain name system (DNS) can forward queries to name servers using the VRF
More informationAuthenticating a Lucent Portmaster 3 with Microsoft IAS and Active Directory
Authenticating a Lucent Portmaster 3 with Microsoft IAS and Active Directory The following tutorial will help you to setup a Portmaster 3 to authenticate your dial in users to Active Directory using IAS
More informationImplementing Cisco MPLS
Implementing Cisco MPLS Course MPLS v2.3; 5 Days, Instructor-led Course Description This design document is for the refresh of the Implementing Cisco MPLS (MPLS) v2.3 instructor-led training (ILT) course,
More informationNetwork Security and AAA
ICT Technical Update Module Network Security and AAA Prof. Dr Harsha Sirisena Electrical and Computer Engineering University of Canterbury AAA Introduction Overview A network administrator may allow remote
More informationSEC-370. 2001, Cisco Systems, Inc. All rights reserved.
SEC-370 2001, Cisco Systems, Inc. All rights reserved. 1 Understanding MPLS/VPN Security Issues SEC-370 Michael Behringer SEC-370 2003, Cisco Systems, Inc. All rights reserved. 3
More informationNetwork Simulator Lab Study Plan
The CCNA 640-802 Network Simulator has 300 lab exercises, organized both by type (Skill Builder, Configuration Scenario, Troubleshooting Scenario, and Subnetting Exercise) and by major topic within each
More informationl.cittadini, m.cola, g.di battista
MPLS VPN l.cittadini, m.cola, g.di battista motivations customer s problem a customer (e.g., private company, public administration, etc.) has several geographically distributed sites and would like to
More informationRA-MPLS VPN Services. Kapil Kumar Network Planning & Engineering Data. E-mail: Kapil.Kumar@relianceinfo.com
RA-MPLS VPN Services Kapil Kumar Network Planning & Engineering Data E-mail: Kapil.Kumar@relianceinfo.com Agenda Introduction Why RA MPLS VPNs? Overview of RA MPLS VPNs Architecture for RA MPLS VPNs Typical
More informationMPLS Multi-Vendor Provisioning. Presented by Brian O Sullivan Director, Product Management Dorado Software October 21, 2003
MPLS Multi-Vendor Provisioning Presented by Brian O Sullivan Director, Product Management Dorado Software October 21, 2003 1 Agenda Why Interoperability? Types of VPNs Industry Standards Interoperability
More informationAMPLS - Advanced Implementing and Troubleshooting MPLS VPN Networks v4.0
Course Outline AMPLS - Advanced Implementing and Troubleshooting MPLS VPN Networks v4.0 Module 1: MPLS Features Lesson 1: Describing Basic MPLS Concepts Provide an overview of MPLS forwarding, features,
More informationFor internal circulation of BSNLonly
E3-E4 E4 E&WS Overview of MPLS-VPN Overview Traditional Router-Based Networks Virtual Private Networks VPN Terminology MPLS VPN Architecture MPLS VPN Routing MPLS VPN Label Propagation Traditional Router-Based
More informationActivIdentity 4TRESS AAA Web Tokens and SSL VPN Fortinet Secure Access. Integration Handbook
ActivIdentity 4TRESS AAA Web Tokens and SSL VPN Fortinet Secure Access Integration Handbook Document Version 1.1 Released July 16, 2012 ActivIdentity 4TRESS AAA Web Tokens and SSL VPN Fortinet Secure Access
More informationAbout This Guide. Document Objectives. Audience
About This Guide This preface describes the objectives, audience, organization, and conventions of the Cisco 1600 Series Software Configuration Guide. Cisco documentation and additional literature are
More information